
Changeset 37646


Timestamp:
06/06/2016 09:33:30 PM (8 years ago)
Author:
rachelbaker
Message:

REST API: Create the general wp_check_jsonp_callback() function for validating JSONP callback functions.

Move the REST API JSONP callback validation check into a separate function named wp_check_jsonp_callback(). This allows plugins to use the built-in validation when handling JSONP callbacks.
Extremely Important Note: If you send JSONP in your custom response, make sure you prefix the response with /**/. This will mitigate the Rosetta Flash exploit. You should also send the X-Content-Type-Options:nosniff header, or even better, use the REST API infrastructure.

Props rmccue.
Fixes #28523.

Location:
trunk
Files:
3 edited

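--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -3106,4 +3106,26 @@
 
 /**
+ * Check that a JSONP callback is a valid JavaScript callback.
+ *
+ * Only allows alphanumeric characters and the dot character in callback
+ * function names. This helps to mitigate XSS attacks caused by directly
+ * outputting user input.
+ *
+ * @since 4.6.0
+ *
+ * @param string $callback Supplied JSONP callback function.
+ * @return bool True if valid callback, otherwise false.
+ */
+function wp_check_jsonp_callback( $callback ) {
+    if ( ! is_string( $callback ) ) {
+        return false;
+    }
+
+    $jsonp_callback = preg_replace( '/[^\w\.]/', '', $callback, -1, $illegal_char_count );
+
+    return 0 === $illegal_char_count;
+}
+
+/**
  * Retrieve the WordPress home page URL.
  *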
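Review bot: The docblock's "Only allows alphanumeric characters and the dot character" understates what the pattern on the `preg_replace` line admits: `\w` also matches the underscore, and the accompanying test case `cypress_creek` depends on that, so the doc should read ` * Only allows alphanumeric characters, underscores and the dot character in callback`. On the same line the `$jsonp_callback` local is assigned but never read; the call is made only for its `$illegal_char_count` side effect, so `preg_replace( '/[^\w\.]/', '', $callback, -1, $illegal_char_count );` without the assignment says what is meant. Because the pattern carries no `u` modifier, the class is evaluated per byte, so with the default character tables multibyte UTF-8 names are rejected rather than passed through; that is the safe direction for a value that ends up in a script response, and it is worth stating in the docblock so a later change does not widen the allow-list by accident.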
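--- a/trunk/src/wp-includes/rest-api/class-wp-rest-server.php
+++ b/trunk/src/wp-includes/rest-api/class-wp-rest-server.php
@@ -281,12 +281,6 @@
             }
 
-            // Check for invalid characters (only alphanumeric allowed).
-            if ( is_string( $_GET['_jsonp'] ) ) {
-                $jsonp_callback = preg_replace( '/[^\w\.]/', '', wp_unslash( $_GET['_jsonp'] ), -1, $illegal_char_count );
-                if ( 0 !== $illegal_char_count ) {
-                    $jsonp_callback = null;
-                }
-            }
-            if ( null === $jsonp_callback ) {
+            $jsonp_callback = $_GET['_jsonp'];
+            if ( ! wp_check_jsonp_callback( $jsonp_callback ) ) {
                 echo $this->json_error( 'rest_callback_invalid', __( 'The JSONP callback function is invalid.' ), 400 );
                 return false;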
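Review bot: The two new lines drop the only comment that said why `_jsonp` is validated, and nothing left in the hunk conveys it; suggest restoring one line above the assignment, `// The callback name is reflected into the script response, so reject anything outside the [\w.] allow-list.` (that the value is reflected later is inferred from the removed code and happens outside this hunk — confirm against the code that emits the body). The old branch also ran `wp_unslash()` before checking, while the new line checks the raw slashed value; since a backslash is outside the allow-list this cannot let anything through that was previously rejected, but if `$jsonp_callback` is used verbatim after the check, a reader should not have to work that out, so a half-sentence in the same comment would help. The enclosing method starts and ends outside the hunk.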
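--- a/trunk/tests/phpunit/tests/rest-api.php
+++ b/trunk/tests/phpunit/tests/rest-api.php
@@ -323,3 +323,28 @@
     }
 
+    public function jsonp_callback_provider() {
+        return array(
+            // Standard names
+            array( 'Springfield', true ),
+            array( 'shelby.ville', true ),
+            array( 'cypress_creek', true ),
+            array( 'KampKrusty1', true ),
+
+            // Invalid names
+            array( 'ogden-ville', false ),
+            array( 'north haverbrook', false ),
+            array( "Terror['Lake']", false ),
+            array( 'Cape[Feare]', false ),
+            array( '"NewHorrorfield"', false ),
+            array( 'Scream\\ville', false ),
+        );
+    }
+
+    /**
+     * @dataProvider jsonp_callback_provider
+     */
+    public function test_jsonp_callback_check( $callback, $valid ) {
+        $this->assertEquals( $valid, wp_check_jsonp_callback( $callback ) );
+    }
+
 }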
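Review bot: `assertEquals` in `test_jsonp_callback_check` accepts any loosely-equal result (`1`, `'1'`, a non-empty string), so it would not catch the function returning something other than the `bool` its docblock promises; `$this->assertSame( $valid, wp_check_jsonp_callback( $callback ) );` pins the type as well as the value. The provider also never reaches the non-string branch of `wp_check_jsonp_callback()` (its `is_string` guard), even though PHP hands `$_GET` values over as arrays when the parameter name carries brackets; a case such as `array( array( 'Springfield' ), false ),` under the "Invalid names" comment would cover it. A short docblock line on the test, `// Names come from The Simpsons; the regex under test admits only [\w.].`, would save the next reader from guessing what the fixtures are meant to demonstrate.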